
Re: [Cfrg] AES-based PRF - comment please
Uri Blumenthal wrote:
>Here's a proposed PRF based on AES block cipher.

For those who aren't on the IPSec mailing list, Hugo Krawczyk and I have
pointed out that this construction requires something more than just
the assumption that AES is a PRP -- some additional assumptions are
required for this construction to be secure.

In general, I am somewhat skeptical of constructions which assume that
AES is something more than a PRP; most analysis of AES has been on its
security as a PRP.

Also, in general, given that we already have PRFs with well-justified
security arguments, I think any new proposal of a PRF ought to come
with a careful proof of security under some well-specified set of
assumptions.
_______________________________________________
Cfrg mailing list
Cfrg@ietf.org
https://www1.ietf.org/mailman/listinfo/cfrg